wip

edewata · edewata · commit cc1fa53a899f · 2025-02-24T22:31:17.000-06:00
diff --git a/.github/workflows/tomcat-https-default-test.yml b/.github/workflows/tomcat-https-default-test.yml
@@ -56,11 +56,20 @@ jobs:
         run: |
           docker cp /tmp/RPMS/. server:/root/RPMS/
           docker exec server bash -c "dnf install -y /root/RPMS/*"
+          docker exec server dnf install -y xmlstarlet
 
       - name: Create Tomcat
         run: |
           docker exec server pki-server create -v
 
+      - name: Configure JSS logging
+        run: |
+          docker exec server sed -i \
+              "s/^\(org.mozilla.jss.level\) *=.*/\1 = INFO/" \
+              /var/lib/pki/pki-tomcat/conf/logging.properties
+
+          docker exec server cat /var/lib/pki/pki-tomcat/conf/logging.properties
+
       - name: Create NSS database in Tomcat
         run: |
           docker exec server pki-server nss-create --no-password
@@ -151,6 +160,8 @@ jobs:
               -d '/document/ssltest/*[not(self::protocol)]' \
               sslscan.xml | tee actual
 
+          diff expected actual
+
       - name: Check ciphers
         run: |
           # only TLS1.2 and TLS 1.3 ciphers should be supported
@@ -247,6 +258,48 @@ jobs:
 
           diff expected actual
 
+      - name: Set ciphers to TLS_AES_256_GCM_SHA384
+        run: |
+          docker exec server xmlstarlet edit --inplace \
+              -u "//SSLHostConfig/@ciphers" \
+              -v "TLS_AES_256_GCM_SHA384" \
+              -i "//SSLHostConfig[not(@ciphers)]" \
+              -t attr \
+              -n "ciphers" \
+              -v "TLS_AES_256_GCM_SHA384" \
+              /etc/pki/pki-tomcat/server.xml
+
+          docker exec server cat /etc/pki/pki-tomcat/server.xml
+
+      - name: Restart Tomcat
+        run: |
+          docker exec server pki-server restart --wait -v
+
+      - name: Run sslscan
+        run: |
+          docker exec client sslscan \
+              --xml=$SHARED/sslscan.xml \
+              server.example.com:8443
+          cat sslscan.xml
+
+      - name: Check ciphers
+        run: |
+          cat > expected << EOF
+          <?xml version="1.0" encoding="UTF-8"?>
+          <document>
+            <ssltest host="server.example.com" sniname="server.example.com" port="8443">
+              <cipher status="accepted" sslversion="TLSv1.3" bits="256" cipher="TLS_AES_256_GCM_SHA384" id="0x1302" strength="strong" curve="25519" ecdhebits="253"/>
+            </ssltest>
+          </document>
+          EOF
+
+          xmlstarlet ed \
+              -d '/document/@*' \
+              -d '/document/ssltest/*[not(self::cipher)]' \
+              sslscan.xml | tee actual
+
+          diff expected actual
+
       - name: Stop Tomcat
         run: |
           docker exec server pki-server stop --wait -v
diff --git a/base/src/main/java/org/mozilla/jss/provider/javax/net/JSSContextSpi.java b/base/src/main/java/org/mozilla/jss/provider/javax/net/JSSContextSpi.java
@@ -1,20 +1,28 @@
 package org.mozilla.jss.provider.javax.net;
 
-import java.security.*;
+import java.security.KeyManagementException;
+import java.security.SecureRandom;
 import java.util.ArrayList;
 
-import javax.net.ssl.*;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContextSpi;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSessionContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 
 import org.mozilla.jss.provider.javax.crypto.JSSKeyManager;
+import org.mozilla.jss.ssl.SSLVersion;
 import org.mozilla.jss.ssl.javax.JSSEngine;
 import org.mozilla.jss.ssl.javax.JSSEngineReferenceImpl;
 import org.mozilla.jss.ssl.javax.JSSParameters;
 import org.mozilla.jss.ssl.javax.JSSServerSocketFactory;
 import org.mozilla.jss.ssl.javax.JSSSocketFactory;
-import org.mozilla.jss.ssl.SSLVersion;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public class JSSContextSpi extends SSLContextSpi {
     public static Logger logger = LoggerFactory.getLogger(JSSContextSpi.class);
@@ -26,7 +34,7 @@ public class JSSContextSpi extends SSLContextSpi {
 
     @Override
     public void engineInit(KeyManager[] kms, TrustManager[] tms, SecureRandom sr) throws KeyManagementException {
-        logger.debug("JSSContextSpi.engineInit(" + kms + ", " + tms + ", " + sr + ")");
+        logger.warn("JSSContextSpi.engineInit(" + kms + ", " + tms + ", " + sr + ")");
 
         if (kms != null) {
             for (KeyManager km : kms) {
@@ -51,7 +59,7 @@ public void engineInit(KeyManager[] kms, TrustManager[] tms, SecureRandom sr) th
 
     @Override
     public SSLEngine engineCreateSSLEngine() {
-        logger.debug("JSSContextSpi.engineCreateSSLEngine()");
+        logger.warn("JSSContextSpi.engineCreateSSLEngine()");
 
         JSSEngine ret = new JSSEngineReferenceImpl();
         initializeEngine(ret);
@@ -61,7 +69,7 @@ public SSLEngine engineCreateSSLEngine() {
 
     @Override
     public SSLEngine engineCreateSSLEngine(String host, int port) {
-        logger.debug("JSSContextSpi.engineCreateSSLEngine(" + host + ", " + port + ")");
+        logger.warn("JSSContextSpi.engineCreateSSLEngine(" + host + ", " + port + ")");
 
         JSSEngine ret = new JSSEngineReferenceImpl(host, port);
         initializeEngine(ret);
@@ -80,13 +88,13 @@ private void initializeEngine(JSSEngine eng) {
 
     @Override
     public SSLSessionContext engineGetClientSessionContext() {
-        logger.debug("JSSContextSpi.engineGetClientSessionContext() - not implemented");
+        logger.warn("JSSContextSpi.engineGetClientSessionContext() - not implemented");
         return null;
     }
 
     @Override
     public SSLSessionContext engineGetServerSessionContext() {
-        logger.debug("JSSContextSpi.engineGetServerSessionContext() - not implemented");
+        logger.warn("JSSContextSpi.engineGetServerSessionContext() - not implemented");
         return null;
     }
 
@@ -97,7 +105,7 @@ public SSLServerSocketFactory engineGetServerSocketFactory() {
             protocol = protocol_version.jdkAlias();
         }
 
-        logger.debug("JSSContextSpi.engineGetServerSocketFactory() @ " + protocol);
+        logger.warn("JSSContextSpi.engineGetServerSocketFactory() @ " + protocol);
         return new JSSServerSocketFactory(protocol, key_manager, trust_managers);
     }
 
@@ -108,7 +116,7 @@ public SSLSocketFactory engineGetSocketFactory() {
             protocol = protocol_version.jdkAlias();
         }
 
-        logger.debug("JSSContextSpi.engineGetSocketFactory() @ " + protocol);
+        logger.warn("JSSContextSpi.engineGetSocketFactory() @ " + protocol);
         return new JSSSocketFactory(protocol, key_manager, trust_managers);
     }
 
diff --git a/base/src/main/java/org/mozilla/jss/ssl/javax/JSSEngine.java b/base/src/main/java/org/mozilla/jss/ssl/javax/JSSEngine.java
@@ -371,6 +371,9 @@ public JSSParameters getSSLParameters() {
      */
     @Override
     public void setSSLParameters(SSLParameters params) {
+
+        logger.warn("JSSEngine: setSSLParameters()");
+
         JSSParameters parsed;
 
         // Try to cast the passed parameter into a JSSParameters. This has
@@ -517,6 +520,14 @@ public void setCertFromAlias(String alias) throws IllegalArgumentException {
      */
     @Override
     public void setEnabledCipherSuites(String[] suites) throws IllegalArgumentException {
+
+        logger.warn("JSSEngine: setEnabledCipherSuites()");
+        if (suites != null) {
+            for (String suite : suites) {
+                logger.warn("JSSEngine: - " + suite);
+            }
+        }
+
         JSSParameters parser = new JSSParameters();
         parser.setCipherSuites(suites);
 
@@ -528,6 +539,14 @@ public void setEnabledCipherSuites(String[] suites) throws IllegalArgumentExcept
      * instances.
      */
     public void setEnabledCipherSuites(SSLCipher[] suites) throws IllegalArgumentException {
+
+        logger.warn("JSSEngine: setEnabledCipherSuites()");
+        if (suites != null) {
+            for (SSLCipher suite : suites) {
+                logger.warn("JSSEngine: - " + suite);
+            }
+        }
+
         if (ssl_fd != null) {
             String msg = "Unable to process setEnabledCipherSuites(...) ";
             msg += "after handshake has started!";
@@ -639,11 +658,11 @@ public String[] getSupportedCipherSuites() {
      */
     @Override
     public void setEnabledProtocols(String[] protocols) throws IllegalArgumentException {
-        logger.debug("JSSEngine: setEnabledProtocols(");
+        logger.warn("JSSEngine: setEnabledProtocols(");
         for (String protocol : protocols) {
-            logger.debug("\t" + protocol + ",");
+            logger.warn("\t" + protocol + ",");
         }
-        logger.debug(")");
+        logger.warn(")");
 
         JSSParameters parser = new JSSParameters();
         parser.setProtocols(protocols);
diff --git a/base/src/main/java/org/mozilla/jss/ssl/javax/JSSParameters.java b/base/src/main/java/org/mozilla/jss/ssl/javax/JSSParameters.java
@@ -1,9 +1,16 @@
 package org.mozilla.jss.ssl.javax;
 
-import javax.net.ssl.*;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.EventListener;
 
-import org.mozilla.jss.ssl.*;
+import javax.net.ssl.SSLParameters;
+
+import org.mozilla.jss.ssl.SSLCipher;
+import org.mozilla.jss.ssl.SSLVersion;
+import org.mozilla.jss.ssl.SSLVersionRange;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * JSSParameters is an implementation of SSLParameters to interoperate
@@ -22,6 +29,9 @@
  * used to find the certificate.
  */
 public class JSSParameters extends SSLParameters {
+
+    public static Logger logger = LoggerFactory.getLogger(JSSParameters.class);
+
     private SSLCipher[] suites;
     private SSLVersionRange range;
     private String alias;
@@ -72,6 +82,13 @@ public void setCipherSuites(String[] cipherSuites) throws IllegalArgumentExcepti
             return;
         }
 
+        logger.warn("JSSParameters: setEnabledCipherSuites()");
+        if (suites != null) {
+            for (String suite : cipherSuites) {
+                logger.warn("JSSParameters: - " + suite);
+            }
+        }
+
         ArrayList<SSLCipher> converted = new ArrayList<>();
         for (String cipherSuite : cipherSuites) {
             try {
diff --git a/tomcat-9.0/src/main/java/org/dogtagpki/jss/tomcat/JSSContext.java b/tomcat-9.0/src/main/java/org/dogtagpki/jss/tomcat/JSSContext.java
@@ -60,7 +60,7 @@ public void init(KeyManager[] kms, TrustManager[] tms, SecureRandom sr) throws K
 
     @Override
     public javax.net.ssl.SSLEngine createSSLEngine() {
-        logger.debug("JSSContext.createSSLEngine()");
+        logger.warn("JSSContext.createSSLEngine()");
         javax.net.ssl.SSLEngine eng = ctx.createSSLEngine();
 
 	TomcatJSS instance = TomcatJSS.getInstance();
@@ -71,6 +71,15 @@ public javax.net.ssl.SSLEngine createSSLEngine() {
             if(instance != null) {
                 j_eng.setListeners(instance.getSocketListeners());
             }
+
+            //String[] ciphers = instance.getCiphers();
+            //logger.warn("JSSContext.setEnabledCipherSuites()");
+            //if (ciphers != null) {
+            //    for (String cipher : ciphers) {
+            //        logger.warn("JSSContext: - " + cipher);
+            //    }
+            //}
+            //j_eng.setEnabledCipherSuites(ciphers);
         }
 
         return eng;
diff --git a/tomcat-9.0/src/main/java/org/dogtagpki/jss/tomcat/JSSNioEndpoint.java b/tomcat-9.0/src/main/java/org/dogtagpki/jss/tomcat/JSSNioEndpoint.java
@@ -53,6 +53,7 @@
 import org.apache.tomcat.util.ExceptionUtils;
 import org.apache.tomcat.util.net.NioChannel;
 import org.apache.tomcat.util.net.NioEndpoint;
+import org.apache.tomcat.util.net.SSLHostConfig;
 import org.apache.tomcat.util.net.SocketBufferHandler;
 import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
 
@@ -126,8 +127,24 @@ protected boolean setSocketOptions(SocketChannel socket) {
 
     }
     @Override
-    protected SSLEngine createSSLEngine(String arg0, List<Cipher> arg1, List<String> arg2) {
-        return super.createSSLEngine(arg0, arg1, arg2);
+    protected SSLEngine createSSLEngine(
+            String sniHostName,
+            List<Cipher> clientRequestedCiphers,
+            List<String> clientRequestedApplicationProtocols) {
+
+        log.warn("JSSNioEndpoint: createSSLEngine()");
+        log.warn("JSSNioEndpoint: - SNI hostname: " + sniHostName);
+
+        SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName);
+        log.warn("JSSNioEndpoint: - ciphers:");
+        String[] ciphers = sslHostConfig.getEnabledCiphers();
+        if (ciphers != null) {
+            for (String cipher : ciphers) {
+                log.warn("JSSNioEndpoint:   - " + cipher);
+            }
+        }
+
+        return super.createSSLEngine(sniHostName, clientRequestedCiphers, clientRequestedApplicationProtocols);
     }
 
 }
diff --git a/tomcat-9.0/src/main/java/org/dogtagpki/jss/tomcat/JSSUtil.java b/tomcat-9.0/src/main/java/org/dogtagpki/jss/tomcat/JSSUtil.java
diff --git a/tomcat/src/main/java/org/dogtagpki/jss/tomcat/TomcatJSS.java b/tomcat/src/main/java/org/dogtagpki/jss/tomcat/TomcatJSS.java
